Privacy: Compliance for Clinics in Alberta

Created by Thibault Breboin, Modified on Mon, 26 Jan at 2:05 PM by Thibault Breboin

Privacy Laws Applicable to Clinics in Alberta


Clinics operating in Alberta are subject to different privacy obligations depending on their professional designation and how they handle health information.

The most stringent framework is Alberta’s Health Information Act (HIA), which applies to clinics and practitioners who qualify as custodians under the legislation. Custodians are legally responsible for how individually identifying health information is collected, used, disclosed, and safeguarded.

You can review the legal definition of a custodian and the applicable scope in the Health Information Regulation, Sections 2(1) and 2(2):
https://www.qp.alberta.ca/documents/Regs/2001_070.pdf

Under Section 60 of the Health Information Act, custodians have a statutory duty to protect health information by putting appropriate administrative, technical, and physical safeguards in place:
https://www.qp.alberta.ca/documents/Acts/H05.pdf


Colib is built to support clinics in fulfilling this responsibility by providing a secure, access-controlled environment for managing client and patient data.

For clinics and practitioners not covered by the Health Information Act, Alberta’s Personal Information Protection Act (PIPA) applies instead. PIPA governs how private-sector organizations handle personal information in commercial activities and similarly requires reasonable safeguards to protect privacy:
https://www.qp.alberta.ca/documents/Acts/P06P5.pdf


Privacy Impact Assessment (PIA)

If your clinic is subject to the Health Information Act, completing a Privacy Impact Assessment (PIA) is a legal requirement when implementing a new system or making material changes to how health information is managed.

For organizations not governed by HIA, submitting a PIA is not mandatory. However, the Alberta Office of the Information and Privacy Commissioner (OIPC) strongly encourages PIAs for projects involving personal information, particularly when data is shared between multiple parties.

Official guidance from the OIPC can be found here:
https://oipc.ab.ca/resources/privacy-impact-assessments/


What Is a Privacy Impact Assessment?

A Privacy Impact Assessment (PIA) is a documented review process that helps clinics understand and mitigate privacy risks before launching or modifying systems that handle personal or health information.

A PIA is intended to:

  • Confirm compliance with the Health Information Act

  • Identify risks related to data access, storage, and disclosure

  • Ensure safeguards are proportionate to the sensitivity of the information

  • Assess potential impacts on patient and client privacy

Rather than being a one-time exercise, a PIA should be revisited as systems and workflows evolve.


Privacy Impact Assessment Obligations Under HIA

The Health Information Act clearly outlines when and how a PIA must be completed:

  • HIA Section 64(1)
    Custodians must prepare a privacy impact assessment describing how proposed administrative practices and information systems related to the collection, use, and disclosure of individually identifying health information may affect individual privacy.

  • HIA Section 64(2)
    The privacy impact assessment must be submitted to the Information and Privacy Commissioner before implementing any new practice, system, or significant change to existing ones.

Full legislation text:
https://www.qp.alberta.ca/documents/Acts/H05.pdf


Practical Tips for PIA Submission

When preparing a PIA that involves Colib, clinics typically follow these best practices:

  • Complete and submit the PIA before going live with Colib.

  • Attach Colib’s Privacy Policy and Terms & Conditions as supporting documents:
    https://www.colib.io/Privacy
    https://www.colib.io/Terms

  • Request Colib’s Information Management Agreement (IMA), which outlines Colib’s role and responsibilities when processing health information on behalf of your clinic.

  • Include a cover letter signed by the clinic owner or designated privacy lead.

  • Update and resubmit your PIA whenever there is a significant change to systems, integrations, or data-sharing practices.


Supporting Privacy Compliance with Colib

Beyond regulatory documentation such as PIAs, clinics must also rely on day-to-day operational controls to protect privacy. Colib includes built-in security and privacy features designed to help clinics meet Alberta’s legislative requirements and follow recognized privacy best practices.



How Colib Protects Your Data

  • Clear privacy commitments
    Colib’s Privacy Policy and Terms & Conditions clearly define how personal and health information is collected, used, and protected.

  • Signed, locked, and timestamped clinical notes
    Charts and notes are securely signed, locked, and timestamped to preserve data integrity and support audit requirements.

  • Two-factor authentication (2FA) for clients (Client Portal) and practitioners (Colib.io)
    A second verification step is required at login, so a stolen or guessed password alone is not enough to access client data.

  • IP access restrictions
    Clinics can define a list of authorized IP addresses (for example: home offices or clinic locations) to ensure that only approved networks can access client data.

  • Granular access control
    The clinic or account owner decides exactly who can access which information within Colib, based on staff roles and responsibilities.

  • Individual user accounts & strong authentication
    Every Colib user must log in with their own credentials, ensuring full traceability of actions within the platform.
    Accounts are automatically locked after multiple failed login attempts and can be securely restored using the “forgot password” process.

  • Comprehensive activity logs
    Clinic owners can review detailed audit logs to see when client data was accessed or modified, and by whom.

  • Canadian data hosting & backups
    All health information is securely stored in Canadian data centres and backed up regularly to ensure availability and protection.

  • Flexible charting options
    Charting tools are designed to adapt to different regulatory and professional documentation requirements.

  • Customizable electronic forms
    Clinics can create electronic forms to inform patients of their privacy rights and collect consent in a clear, compliant manner.

  • Real-time data saving
    Data is saved automatically and continuously as you work in Colib, reducing the risk of data loss.

  • Industry-standard data security practices
    • Encryption of data at rest and in transit
    • Secure key management practices
    • Logical separation between production, testing, and development environments

Colib’s Role as an Information Manager under Alberta’s Health Information Act

When clinics in Alberta are governed by the Health Information Act (HIA), Colib acts as an Information Manager on behalf of the clinic.

An Information Manager is an organization that collects, uses, stores, or discloses individually identifying health information for a custodian, in order to deliver a service. In this context, the clinic or practitioner remains the custodian of the health information at all times, while Colib provides the technical platform used to manage that information.

Colib does not become the custodian of health information. Our role is limited to processing health information strictly in accordance with the custodian’s instructions and applicable legislation.

More information on the definition and obligations of Information Managers can be found in Alberta’s Health Information Act and related regulations:
https://www.qp.alberta.ca/documents/Acts/H05.pdf


Information Manager Agreement (IMA)

Under the Health Information Act, custodians are required to have a written agreement in place with any Information Manager they engage. This agreement is commonly referred to as an Information Manager Agreement (IMA).

Colib provides an Information Manager Agreement to clinics that are subject to the Health Information Act. This agreement is designed to support the custodian’s compliance obligations and to clearly define Colib’s responsibilities when handling health information on their behalf.

A typical Information Manager Agreement with Colib outlines, among other things:

  • That Colib uses health information only to provide the services requested by the custodian and in accordance with their instructions

  • That health information is not reused or repurposed (including for analytics or AI training) without the custodian’s explicit authorization

  • Colib’s obligations regarding administrative, technical, and physical security safeguards

  • Incident management and notification responsibilities in the event of a privacy or security incident

  • Procedures for the return or secure destruction of health information at the end of the contractual relationship


If you require an Information Manager Agreement (IMA) to be signed between Colib and your clinic, please contact us at support@colib.io.



For more details, you can review Colib’s full list of security features or consult the Alberta Health Information Act (HIA) Guidelines and Practices Manual for official regulatory guidance.


Still Have Questions?

If you have questions about privacy, security, or this guide, feel free to contact us at support@colib.io.
We’ll be happy to help clarify anything or walk you through how these features work in practice.
